Citrix Bleed - a new internet facing vulnerability, again
Hardly a month passes without another zero-day in an internet-facing device being disclosed.
This time it's Citrix again (after this summer's zero-day, CVE-2023-3519): on October 10th, 2023, Citrix published a patch for its NetScaler ADC and NetScaler Gateway products, addressing a vulnerability now known as Citrix Bleed (CVE-2023-4966).
The "Bleed" nickname (a nod to Heartbleed) was given because the flaw lets an unauthenticated request read sensitive data out of the appliance's memory, and that data can include valid session tokens. An attacker who replays such a token is treated as the already-authenticated user, so the hijack also sidesteps any MFA that user completed at logon.
Both Palo Alto Networks and Mandiant report widespread exploitation of the vulnerability in the wild. Mandiant in particular has identified exploitation attempts going back to at least August, well before the patch was released and distributed.
Palo Alto Networks' sensors see nearly 8,000 IP addresses advertising a vulnerable version of NetScaler Gateway and 6,000 advertising NetScaler ADC. Most of these devices are in the United States (3,100), followed by Germany (800), China (450) and the United Kingdom (400).
CVE-2023-4966 has also recently been added to CISA's Known Exploited Vulnerabilities Catalog, another indicator this is a serious threat.
The vulnerability is being used by ransomware threat actors. NetScaler Gateway typically fronts the Citrix VDI (remote desktop) estate, so a hijacked session gives the attacker an authenticated path straight to the Windows desktops and published apps behind the gateway. From there, attackers have been observed running reconnaissance commands and opening remote PowerShell sessions to move laterally, dropping additional tooling along the way. Two consequences for defenders: a hijacked session looks like the legitimate user until you compare source IPs or look for token use without a fresh authentication, and patching alone does not end a session that was already stolen, so active sessions should be terminated once the patch is in place.
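As an added example (not part of the original post, nor Citrix's or Mandiant's tooling), here is a small hunt for the hijack pattern described above: a session token that is used from a source IP which never authenticated it, or that is used without any authentication event at all. The log format, field names and sample lines are constructed for illustration and are not NetScaler's real ns.log syntax; adapt the regex to whatever your gateway, WAF or identity provider actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in an assumed "key=value" format (not NetScaler's
# own log syntax). Session 7f3a is used only from the IP that authenticated it.
# Session c9d1 is authenticated from 198.51.100.7 and then replayed from
# 192.0.2.77, which never logged in: the session-hijack pattern.
# Session e4b2 has requests but no authentication event at all (an "orphan").
SAMPLE_LOG = """\
2023-10-12T08:00:05Z user=alice session=7f3a src=203.0.113.10 event=auth
2023-10-12T08:00:09Z user=alice session=7f3a src=203.0.113.10 event=request path=/vdi
2023-10-12T08:02:41Z user=bob session=c9d1 src=198.51.100.7 event=auth
2023-10-12T08:03:00Z user=bob session=c9d1 src=198.51.100.7 event=request path=/vdi
2023-10-12T08:03:12Z user=bob session=c9d1 src=192.0.2.77 event=request path=/vdi
2023-10-12T08:03:13Z user=bob session=c9d1 src=192.0.2.77 event=request path=/rdp
2023-10-12T08:05:00Z user=carol session=e4b2 src=192.0.2.77 event=request path=/vdi
2023-10-12T09:30:00Z user=alice session=7f3a src=203.0.113.10 event=request path=/vdi
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<sid>\S+) "
    r"src=(?P<src>\S+) event=(?P<event>\S+)"
)


def parse_log(text):
    """Parse log text into (timestamp, user, session_id, src_ip, event) tuples,
    silently skipping lines that do not match the assumed format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["sid"], m["src"], m["event"]))
    return events


def find_hijacked_sessions(events):
    """Return {session_id: finding} for every session token that was used from
    a source IP which never produced an 'auth' event for that token.
    'orphan' is True when the token was never seen authenticating at all,
    which is what a token lifted from appliance memory would look like."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev[2]].append(ev)

    findings = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e[0])
        auth_ips = {src for _, _, _, src, kind in evs if kind == "auth"}
        suspicious = [(ts, src) for ts, _, _, src, kind in evs
                      if kind != "auth" and src not in auth_ips]
        if not suspicious:
            continue
        findings[sid] = {
            "users": sorted({u for _, u, _, _, _ in evs}),
            "auth_ips": sorted(auth_ips),
            "suspicious_ips": sorted({src for _, src in suspicious}),
            "first_suspicious": min(ts for ts, _ in suspicious),
            "orphan": not auth_ips,
        }
    return findings


def attacker_ips(findings):
    """Pivot: a source IP that is suspicious across more than one session is a
    far stronger signal than a single user who happened to change networks."""
    hits = defaultdict(set)
    for sid, f in findings.items():
        for ip in f["suspicious_ips"]:
            hits[ip].add(sid)
    return {ip: sorted(sids) for ip, sids in hits.items() if len(sids) > 1}


if __name__ == "__main__":
    found = find_hijacked_sessions(parse_log(SAMPLE_LOG))
    for sid, f in found.items():
        print(sid, f)
    print("shared attacker IPs:", attacker_ips(found))
```

Run it over the window between the earliest exploitation reports and your patch date. Roaming users do legitimately change IPs, so treat a single per-session hit as a lead and the cross-session pivot in `attacker_ips` as the stronger signal; any session that is flagged should be terminated rather than left to expire, since the patch does not evict sessions that were stolen before it was applied.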
This latest zero-day is just one of a series that were being exploited before the vendor even knew the bug existed.
The problem is compounded by slow patch rollout, which is especially true for on-premises equipment exposed to the internet. Such devices take a long time to get patched (maintenance windows are further apart), and months usually elapse before every device is secured (see example here).
In practice, vendors investigate and patch much faster when a vulnerability affects the services they operate themselves as SaaS, and they commit far more resources to the investigation than an on-prem customer ever could.
For example, in the case of the latest zero-days (CVE-2023-4966 and CVE-2023-3519), Citrix deployed mitigations and patches across its managed-services estate immediately upon discovery.
That's why, while urging on-prem customers to patch as soon as possible, the advisories point out that "customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action".
In other words, Citrix had patched its own servers before it found time to release and distribute patches to vulnerable on-prem customers, who were left scrambling to secure their VDI hosts.
With threat actors now focusing on network edge devices, exposing on-premises services directly to the internet is slowly becoming untenable and should be treated as a major risk. Consuming the same function as a managed SaaS offering, in this case SASE or firewall-as-a-service, shifts the patch burden to the vendor and mitigates much of that risk, a point still often missed by security professionals and CIOs.